[kernel] r8406 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 31 20:41:20 UTC 2007


Author: dannf
Date: Sat Mar 31 20:41:20 2007
New Revision: 8406

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* unmap_hugepage_area-check-null-pte.dpatch
  [SECURITY] Fix a potential DoS (crash) in unmap_hugepage_area().
  No kernel-image builds appear to compile this code, so this fix is only
  for users that compile their own kernels with the Debian source and
  enable/use huge pages.
  See CVE-2005-4811

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat Mar 31 20:41:20 2007
@@ -37,8 +37,14 @@
     [SECURITY] Fix initialization of info->nr_pages in aio_setup_ring() to
     avoid a race that can lead to a system crash
     See CVE-2006-5754
+  * unmap_hugepage_area-check-null-pte.dpatch
+    [SECURITY] Fix a potential DoS (crash) in unmap_hugepage_area().
+    No kerel-image builds appear to compile this code, so this fix is only
+    for users that compile their own kernels with the Debian source and
+    enable/use huge pages.
+    See CVE-2005-4811
 
- -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 13:51:04 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 14:38:33 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 
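Review bot: "kerel-image" in the new changelog entry is a typo for "kernel-image". Since the entry is explicitly aimed at users who build their own kernels from this source, it would also help to state that the dpatch touches only the i386, ia64 and sparc64 copies of hugetlbpage.c, so self-builders on any other architecture know this upload does not reach them.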

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Sat Mar 31 20:41:20 2007
@@ -7,3 +7,4 @@
 + __find_get_block_slow-race.dpatch
 + listxattr-mem-corruption.dpatch
 + aio-fix-nr_pages-init.dpatch
++ unmap_hugepage_area-check-null-pte.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/unmap_hugepage_area-check-null-pte.dpatch	Sat Mar 31 20:41:20 2007
@@ -0,0 +1,76 @@
+From: David Gibson <david at gibson.dropbear.id.au>
+Date: Fri, 5 Aug 2005 18:59:35 +0000 (-0700)
+Subject: [PATCH] Fix hugepage crash on failing mmap()
+X-Git-Tag: v2.6.13-rc6~29
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=c7546f8f03f5a4fa612605b6be930234d602686;hp=e6cb99413da42af413c11a394538ddc8b9d201e1
+
+[PATCH] Fix hugepage crash on failing mmap()
+
+This patch fixes a crash in the hugepage code.  unmap_hugepage_area() was
+assuming that (due to prefault) PTEs must exist for all the area in
+question.  However, this may not be the case, if mmap() encounters an error
+before the prefault and calls unmap_region() to clean up any partial
+mapping.
+
+Depending on the hugepage configuration, this crash can be triggered by an
+unpriveleged user.
+
+Signed-off-by: David Gibson <david at gibson.dropbear.id.au>
+Cc: William Lee Irwin III <wli at holomorphy.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Ported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/arch/i386/mm/hugetlbpage.c kernel-source-2.6.8/arch/i386/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/i386/mm/hugetlbpage.c	2004-08-13 23:37:42.000000000 -0600
++++ kernel-source-2.6.8/arch/i386/mm/hugetlbpage.c	2007-03-31 13:33:43.000000000 -0600
+@@ -205,6 +205,7 @@ void unmap_hugepage_range(struct vm_area
+ {
+ 	struct mm_struct *mm = vma->vm_mm;
+ 	unsigned long address;
++	pte_t *ptep;
+ 	pte_t pte;
+ 	struct page *page;
+ 
+@@ -212,7 +213,13 @@ void unmap_hugepage_range(struct vm_area
+ 	BUG_ON(end & (HPAGE_SIZE - 1));
+ 
+ 	for (address = start; address < end; address += HPAGE_SIZE) {
+-		pte = ptep_get_and_clear(huge_pte_offset(mm, address));
++		ptep = huge_pte_offset(mm, address);
++		if (! ptep)
++			/* This can happen on truncate, or if an
++			 * mmap() is aborted due to an error before
++			 * the prefault */
++			continue;
++		pte = ptep_get_and_clear(ptep);
+ 		if (pte_none(pte))
+ 			continue;
+ 		page = pte_page(pte);
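Review bot: the new check `if (! ptep)` has a space after `!`, which is not kernel coding style and is inconsistent with the `if (!pte || pte_none(*pte))` form used in the ia64 and sparc64 parts of this same dpatch; write `if (!ptep)`. Placing the three-line comment between the `if` and its `continue` also makes the single-statement body easy to misread; moving the comment above the `if` keeps the control flow obvious. The logic itself is sound: `ptep_get_and_clear(ptep)` is now only reached with a non-NULL pointer, and the `pte_none(pte)` test that follows is unchanged.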
+diff -urpN kernel-source-2.6.8.orig/arch/ia64/mm/hugetlbpage.c kernel-source-2.6.8/arch/ia64/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/ia64/mm/hugetlbpage.c	2004-08-13 23:36:58.000000000 -0600
++++ kernel-source-2.6.8/arch/ia64/mm/hugetlbpage.c	2007-03-31 13:30:14.000000000 -0600
+@@ -243,7 +243,7 @@ void unmap_hugepage_range(struct vm_area
+ 
+ 	for (address = start; address < end; address += HPAGE_SIZE) {
+ 		pte = huge_pte_offset(mm, address);
+-		if (pte_none(*pte))
++		if (!pte || pte_none(*pte))
+ 			continue;
+ 		page = pte_page(*pte);
+ 		put_page(page);
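Review bot: `if (!pte || pte_none(*pte))` relies on short-circuit evaluation so that `*pte` is never dereferenced when `huge_pte_offset()` returns NULL, which is correct. Unlike the i386 part of this dpatch, though, this hunk carries no comment saying why a NULL return is legitimate here (truncate, or an mmap() aborted before the prefault); without it the check reads like a guard against an impossible state and is liable to be dropped by a later cleanup. Suggest reusing the i386 comment verbatim.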
+diff -urpN kernel-source-2.6.8.orig/arch/sparc64/mm/hugetlbpage.c kernel-source-2.6.8/arch/sparc64/mm/hugetlbpage.c
+--- kernel-source-2.6.8.orig/arch/sparc64/mm/hugetlbpage.c	2004-08-13 23:37:25.000000000 -0600
++++ kernel-source-2.6.8/arch/sparc64/mm/hugetlbpage.c	2007-03-31 13:30:42.000000000 -0600
+@@ -193,8 +193,7 @@ void unmap_hugepage_range(struct vm_area
+ 
+ 	for (address = start; address < end; address += HPAGE_SIZE) {
+ 		pte = huge_pte_offset(mm, address);
+-		BUG_ON(!pte);
+-		if (pte_none(*pte))
++		if (!pte || pte_none(*pte))
+ 			continue;
+ 		page = pte_page(*pte);
+ 		put_page(page);
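Review bot: this hunk removes `BUG_ON(!pte)`, which on sparc64 is the assertion that fires when mmap() fails before the prefault, so here the fix turns a deliberate kernel panic into a silent skip rather than fixing a NULL dereference as on i386 and ia64. That is the right change given the commit message establishes the state is reachable by an unprivileged user, but the `BUG_ON` documented an invariant that no longer holds, so a one-line comment at the `!pte` test noting that a missing entry is expected (as the i386 hunk has) would stop someone from reinstating the assertion later.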
